In modern telephony networks, media switching and call control functionality are separated. Call control, which includes setting up and tearing down calls and maintaining call state machines, is performed by a network entity referred to as a media gateway controller (MGC). Media stream switching, which includes switching media packets between input and output ports and converting the media packets into the appropriate formats for the sending and receiving parties, is performed by a media gateway (MG). Media gateway controllers communicate call control information to media gateways via a media gateway control protocol. Typical media gateway control protocols, such as MGCP and MEGACO, include commands for communicating information about each endpoint of a session to the media gateway and instructing the media gateway as to how to process packets to be delivered to each endpoint.
FIG. 1 is a schematic diagram illustrating voice sessions between media gateways 100, 102, 104, and 106 interconnected through an IP network 108. Media gateways 100, 102, 104, and 106 may be connected through IP network 108 via multiple paths through a series of next-hop routers. Multiple bidirectional voice sessions may be set up between any two or more of media gateways 100, 102, 104, and 106. As voice packets are received at a media gateway (ingress packets) or exit the media gateway (egress packets), the particular session that a packet belongs to must be identified for proper delivery and/or processing of the packet. The process of assigning a packet to a particular session to which it belongs is commonly referred to as packet classification.
FIG. 2 is a schematic diagram illustrating an exemplary media gateway 200. Referring to FIG. 2, media gateway 200 includes a control module 202, a resource manager 204, a packet switch fabric 206, voice servers 208, and network interfaces 210. Each voice server 208 contains voice processing resources for processing voice-over-IP (VoIP) and time division multiplexed (TDM) voice streams. For example, each voice server 208 may include codecs, VoIP, asynchronous transfer mode (ATM), and TDM chips, and digital signal processing resources for processing VoIP streams. A detailed description of exemplary resources that may be found in voice server 208 can be found in commonly assigned, co-pending U.S. patent application Ser. No. 10/676,233, the disclosure of which is incorporated herein by reference in its entirety.
Control module 202 of media gateway 200 controls the overall operation of media gateway 200 and communicates with media gateway controller 212 to set up and tear down calls. Resource manager 204 of control module 202 allocates new voice sessions to incoming calls. For example, resource manager 204 may assign one of voice servers 208 to a session and store session information for the session in a session table 214 in a memory. Session table 214 is then regularly accessed to classify ingress and egress packets to the appropriate sessions. Although session table 214 is shown logically as a single entity, session tables 214 may actually be distributed among, and accessed by, network interfaces 210, as will be discussed further below.
Voice servers 208 are each assigned individual IP addresses and are each reachable through packet switch fabric 206 via any of network interfaces 210. Multiple sessions may be processed by the same voice server 208. Furthermore, multiple sessions may be established between a given network interface 210 and a given voice server 208 through the packet switch fabric 206. The traffic rate for a given voice server 208 should not be exceeded to avoid degrading the voice quality of calls, or worse, overloading the voice of server 208. For example, a malicious attack can be launched against a media gateway by flooding the media gateway with packets, thereby reducing the call handling capacity, or even overloading, one or more of voice servers 208. While firewall protection mechanisms provide some degree of protection against unauthorized users, voice servers 208 are still vulnerable to receiving excessive packets from authorized users, whether maliciously or unintentionally. For example, once a call is allowed into a media gateway, packets for the session pass through the firewall. If either the calling or the called party send an excessive amount of packets, conventional firewall protection mechanisms are ineffective for preventing these packets from overloading media gateway resources.
Accordingly, a need exists for traffic rate policing in a media gateway to limit a packet traffic rate available to authorized users.